I’m a pentester – that is, a professional penetration tester. Some call me an ethical hacker, a white hat, or red teamer. In the heat of the moment, I’ve been called much worse – because I’ve spent countless hours attacking organizations like yours with ransomware.
My job is to keep my clients safe by helping them harden their defenses. Based on my experience as a ransomware attacker, I’ve come up with these five questions that you should ask yourself:
1. Can I breach your perimeter?
There are countless ways to breach a perimeter. I can look for a SQL injection in one of your web applications. I can try to guess credentials for your VPN. Or I can look for an error in your firewall configuration that gets me access to a sensitive service or application.
As an attacker, I’m less likely to target your company, scan your perimeter for issues, and then try to exploit one to get inside. Instead, I’ll treat the entire internet as my target. It’s easier to scan for one specific vulnerability I’m really into, find 100 systems that have that vulnerability, and then investigate the companies that own those 100 systems. In other words, I’m not necessarily going to target you as an organization. I’m going to target you as the owner of a vulnerable system.
2. Can I phish your users?
Sure, you’ve implemented defenses that make it more difficult and time-consuming to successfully phish your users. But domains are cheap, and emails are free, so I’m still going to try. Plus, phishing is a game with unlimited retries — and I only need to get one user to click once, while you need your users to not click every time. I can just keep trying different iterations of my pretext/payload or move on to another target. If I get one click, it’s game on.
You know what kinds of defenses to put in place. You need strong endpoint controls, including EDR and restricted permissions. You need email filtering that checks message attributes such as the age and reputation of the source domain. And, of course, you need to train all users—from your top executives to your new hires—to ensure they understand good email hygiene.
3. Are your critical backups viable and well-protected?
Compromised backup infrastructure is the kiss of death in a ransomware attack. If I can get to your critical backups and delete or encrypt your backup files, you will lose the only option you have to restore your business. That will dramatically increase the likelihood of a big payday for yours truly.
To maintain a failover option, you must protect backup infrastructure. Multifactor authentication is important, and so is segmentation. Your backup servers should be on a separate domain and not accessible over the network by every user in your organization. Also, it is essential that backup infrastructure does not share credentials with other production systems.
One more caveat: Your backup systems must work. Make sure whoever is responsible for executing and testing backup systems does so regularly. You don’t want to find out there’s a glitch in your recoverability when you’re smack dab in the middle of a ransomware attack.
4. How long can I remain undetected?
Here’s one of the most important lessons I’ve learned from my time as a pretend ransomware attacker: the more time I have at my disposal to explore and probe your environment, the greater my chances of success. If I can be detected and evicted within an hour after I gain a foothold, I usually don’t get much chance to pull off a successful attack. But if I get several days to move laterally and compromise additional systems, I almost always reach the point where I can do something very harmful.
Fast, accurate threat detection is critical to your anti-ransomware efforts. You need lots of telemetry from across your endpoints, network, and cloud. You need to be able to make sense of that telemetry, without getting overwhelmed by alert fatigue. And you need to immediately translate your discovery and identification of any active threat into decisive action to neutralize it.
5. Is my target flying solo?
The truth? Quite frankly, if it’s just me and my team against the typical understaffed SOC, we’ll almost always win. That’s no insult to SOCs – it’s just a numbers game. But clients who have already been through pentesting and Red Team adversarial tactics are tougher to crack. That’s mainly because they’ve already let us take a crack or three at them—so we’ve already discovered where they’re vulnerable and helped them remediate those vulnerabilities.
The same is true of virtually any other attacker. If you’re not the easiest target in the world, most attackers will gladly move on to a more vulnerable environment.
The good news is that you don’t have to be perfectly bulletproof. If you can slow attackers down fast, chances are they’ll run to the next, easier mark. And that may ultimately be your best defense.